Does anyone happen to know where one could start self-teaching cryptography?
If you’re new to the subject I would recommend reading Simon Singh’s The Code Book, and David Kahn’s The Codebreakers. Between them you will get an excellent overview of the back-and-forth battle between makers and breakers of ciphers throughout history. Both should be available at your local library.
I’m not well versed in modern cryptography, yet. You might try Bruce Schneier’s classic Applied Cryptography. It might be a bit dated now, but on the upside Schneier himself posted a link on his blog to where you can download it free. Also I’ve heard that Coursera and Khan Academy both offer crypto courses online. I haven’t found the time to try either one, so I can’t recommend them yet.
Anyone else have resources to recommend?
The Coursera course you mentioned (https://www.coursera.org/course/crypto) is by Stanford professor Dan Boneh. I took it back in 2012 and it is excellent. The lecture material is thorough and the lab work is tough but really helps build a complete understanding of the material.
I’ve been registered and waiting for Boneh’s Crypto II to launch; unfortunately, it’s been postponed four times now.
If you don’t know what regular expressions are, this photo might make your brain hurt. If you do know what regular expressions are, this photo probably makes your brain hurt anyway.
For the uninitiated (if you’re still reading), regular expressions are a system for matching patterns in strings or characters. So, for instance,
.*regular.* is a simple pattern that matches the first sentence of this paragraph.
Regular expressions are a powerful tool for programmers, but they can become extremely complicated. Let’s say you want to find lines in a log file that contain a 9-digit number (like an SSN), but not if it’s part of a larger number. It’s a sort of black magic, but it happens to be black magic I’m particularly good at.
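The 9-digit-but-not-part-of-a-larger-number case above, as an added example (not code from the original post): the trick is a pair of zero-width lookarounds so that a run of ten or more digits is rejected rather than matched in part. The log lines are constructed for illustration, and the function name is my own.

```python
import re

# Match exactly nine consecutive digits that are not part of a longer digit run.
# (?<!\d) and (?!\d) are zero-width lookarounds: they refuse a match that is
# preceded or followed by another digit, so "1234567890" (10 digits) is skipped
# entirely instead of yielding its first nine digits.
NINE_DIGITS = re.compile(r"(?<!\d)\d{9}(?!\d)")

# Constructed sample log lines (not from any real system).
SAMPLE_LOG = """\
2014-01-30 12:00:01 INFO  user=alice request_id=123456789 status=200
2014-01-30 12:00:02 INFO  user=bob   order=1234567890 status=200
2014-01-30 12:00:03 WARN  user=carol note="ssn 987654321 sent in clear"
2014-01-30 12:00:04 INFO  user=dave  phone=555-123-4567 status=200
2014-01-30 12:00:05 ERROR user=erin  ids=111222333,444555666 status=500
"""


def find_nine_digit_lines(text):
    """Return (line_number, [matches]) for each line holding a standalone 9-digit number.

    Useful as a quick check that sensitive identifiers are not leaking into logs;
    a line with no hit is simply omitted from the result.
    """
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matches = NINE_DIGITS.findall(line)
        if matches:
            hits.append((lineno, matches))
    return hits


if __name__ == "__main__":
    for lineno, matches in find_nine_digit_lines(SAMPLE_LOG):
        print(f"line {lineno}: {matches}")
```

Line 2 (a 10-digit order number) and line 4 (a hyphenated phone number) produce no hit; lines 1, 3 and 5 do.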
About eleven years ago, I was hired by an alumnus to write a parser that would crawl a company’s public directory of agents and extract the agents’ contact information into a convenient output. I did the project on the cheap to buy out the deadline, which afforded me the opportunity to learn Perl and get a handle on regular expressions. This was, in retrospect, one of the smartest decisions of my career.
A couple of weeks ago, I saw my peers on Twitter kicking around various links to a hexagonal regular expression crossword puzzle. It was fiendishly evil. I retweeted it as a curiosity, but then I let my brain start playing with the idea. How would you even get started?
Before you could say boo, I’d printed it off and had started attacking it with a pencil or two. Scribble in a character here and there, a block of five or six now and again… It’s pretty much like sudoku, if the rules were written by a sadist.
Sadly, I’m not sure exactly where it came from. The best link I can find is from kottke.org; if anyone has more authoritative attribution, please let me know.
News has been circulating about a war in Eve Online over system B-R5RB. The currency used in the game - ISK - has a USD valuation*, and this war has been estimated to have cost players of the game a total upwards of $330,000 USD. The Titan class vessel is valued starting above $2500, and over 70 such vessels were destroyed in the conflict. For the uninitiated, Eve Online features permadeath of a sort: if your ship is destroyed, it’s gone.
The conflict was started because the player corporation controlling the B-R5RB system essentially forgot to pay its bill to maintain that control. From some reports I’ve read, it’s not that they forgot as much as a user interface glitch caused them to believe the bill paid when the transaction had not actually been completed. Regardless, when the bill went unpaid, the system went up for grabs and rival player corporations pounced.
I’m not an EO player myself; I gave the trial a whirl once and it didn’t fit the niche I wanted it to. Events like this resonate with me, however. Despite the destruction and the loss of what people have invested themselves into, things like this are an amazing lure for massively multiplayer games - good ones, anyway.
A lot of MMOs revolve around continuous loot acquisition and scripted events. This is well and good, but if this were the sum total of the experience, it would wear thin quickly. That’s essentially a more difficult casino game, but with less of a payoff.
Players crave these events that are unscripted (or only partially scripted), that put the denizens of the virtual world in control of its destiny, and that let them be part of something larger than their individual characters.
I’m reminded of World of Warcraft’s Gates of Ahn’qiraj event some years ago. The players of each realm needed to pool resources and effort together in order to open the gateway to the new end-game raiding instance. An individual couldn’t pull this off on their own — they absolutely needed the support of one or more significantly established raiding guilds to do it. Champions stepped forward. Rival efforts, both within and across factions, emerged.
In the end, the realm found itself standing behind one player with the completed item to trigger the opening. Actually opening the gates triggered a day-long semi-scripted event that carried that cooperative spirit forward before the gates settled down and Ahn’qiraj was really open to the public.
Technically, the event was a misstep. At the time, Blizzard’s servers were not prepared to handle that many players congregating in one area and performing time-sensitive actions. The event attracted players from both of the otherwise isolated and generally combat-free player cities. But even in disaster, players banded together and the delicious marrow of the MMO experience was available to all.
* ISK cannot be converted into USD or any other real-world currency, or they would have serious money laundering problems.
Kentucky Route Zero is an interactive story (a “game” if you prefer, but it resides in the hazy borderlands of play) that celebrates the rustic mysticism of Kentucky as one might the heather moors and glens of Scotland. It is a story revealed through the escapades of the eccentrics and the esoterics: mathematicians, artists, and specialists. It is told in episodes and, as of this writing, only the first two have been released.
Between episodes, the developers - Cardboard Computer - have been in the habit of releasing tech demos that enrich the events of the game through tangential digressions. The first of these was Limits & Demonstrations, which invites players to walk through a retrospective of the works of Lulu Chamberlain, a character who figures into the events of KR0. The more recent is The Entertainment, an Oculus Rift experiment playable on regular monitors as well.
This latter intermission presents a pair of stage presentations written by fictional author Lem Doolittle as presented by a central Kentucky theater company in the 1970s. One of these works is called The Bar-Fly, a pantomime of a hopeless drunk. The theatre company inserts the pantomime into another play, which serves to give the player a supposedly uncredited vantage point on that work. The other play is called The Reckoning, a tale about debt and desperation in a last-resort bar. The simultaneous performance is called The Entertainment.
I picked up a physical copy of the play when I noticed an Easter egg. A self-published work probably wouldn’t have a Library of Congress number, and when I looked up the number in the book, it corresponded to Eugene O’Neill’s The Iceman Cometh, a play about self-loathing and lies in a last-resort bar. Intrigued, I picked up a copy and read both.
To say The Iceman Cometh influences The Reckoning heavily would be an understatement. The latter is essentially a love letter to the former. Because I’m probably the only person in the world who didn’t create it to pursue this particular twisting alleyway of analysis, I’ve written this post to detail the items of homage that The Entertainment (TE) pays to The Iceman Cometh (TIC).
- The published copy of TE claims Library of Congress Card Catalog Number 57-6498. This number actually belongs to TIC.
- TE’s bartender is named Harry Esperanza. “Esperanza” is the Spanish word for hope. Harry Hope is the name of the bartender in TIC.
- A trio of TE’s characters bear the surname Slade. Larry Slade is one of the central characters of TIC.
- The patron of the TE Slade family is Lawrence. His wife calls him Larry on several occasions.
- The matron of the TE Slade family is Rosa. In TIC, Rosa Parritt is the name of Don Parritt’s mother. She was a one-time lover of Larry Slade in brighter days. In TE, Rosa Slade is married to Lawrence Slade.
- The daughter of the TE Slade family is Pearl. Pearl (no surname) is a minor character in TIC.
- Evelyn Hickman is the final character in TE’s The Reckoning (besides the first-person Bar-Fly). In TIC, Theodore Hickman (a.k.a. Hickey) is a central character.
- In TIC, Hickey is a hardware salesman whose late wife was named Evelyn. Hickey is known by the bar-flies to be a philanderer.
- In TE, Evelyn and her husband Ted (short for Theodore) own a hardware store fallen on hard times. Ted becomes a traveling salesman and Evelyn fears the solitude of traveling will lead him to philander.
- Both TE and TIC take place in Raines Law hotels. Raines Law left a loophole in its liquor tax that exempted hotel restaurants. TE celebrates the legend of bar owners who mocked the law by serving “brick sandwiches” - two pieces of bread with a brick between - to satisfy the food requirement.
- In TIC, Harry Hope hasn’t left his own bar/hotel in years, not since his wife Bessie died. In TE, Harry makes reference to his late wife Bess several times.
- “Sardonic” is a word that means “grimly mocking or cynical”. Eugene O’Neill used it liberally in TIC, particularly when characterizing the speech of Larry. In modern writing it is considerably less common, so I attribute its frequent use in TE to a stylistic homage to O’Neill.
- In TE, Lawrence protests his wife calling him Larry. “It sounds like an old man,” he says. In TIC, Larry Slade is an unkempt man in his 60s.
- In Scene 4 of TE, Evelyn at one point says, “Don’t be a fool. Buy me a drink.” In TIC, Hugo Kalamar is a Russian anarchist who spends most of the play passed out on a table. When he does wake up for brief moments, he usually demands of anyone and everyone, “Don’t be a fool. Buy me a trink!”
- In TE’s Scene 4, Lawrence Slade names Rosa’s manager at the supermarket where she works as O’Neill. Eugene O’Neill is the playwright of TIC.
There may well be more references to The Iceman Cometh written into The Entertainment that I haven’t spotted. The connection between the two is so far from accidental that it’s worth discussing sooner rather than later.
If you haven’t played Kentucky Route Zero, I strongly recommend it. Amongst gamers there is often discussion on the subject of video games as art. While I concede it may be debatable whether KR0 even qualifies as a game per se, I have never before seen such integration of art and experience in interactive entertainment. This title needs to be at the forefront of that discussion: it is contemplative and emulative of great art in its intermezzos and wholly unique and amazing in the course of its main themes.
The wait is finally over!
Anamanaguchi’s Endless Fantasy looks… pretty trippy! Splattered vinyl for the win.
Anamanaguchi did the fabulous chiptune soundtrack for the 16-bit styled Scott Pilgrim vs. The World: The Game brawler from 2010. While electronic on vinyl isn’t my preferred format, they’ve done an awesome job with the presentation on this project.
You can listen to some tracks from the album at the band’s Soundcloud.
Not long ago, I promised a nephew I’d write up an email for him about opening his first bank account and learning how to manage his own finances. As I thought on it, I wanted to kick it off with a section on how to make sure his own password security is in order before he starts adding monied accounts to the mix. Then I thought about everyone who would benefit from the same thing and that list clocked in at just about every human being I know.
Why Does This Matter?
The weakest link in any security system is the human being: you and me. Hackers’ feats are glorified by Hollywood and the news media, but more often than not the way they win is by exploiting a person and not technology.
As far as the hacker is concerned, you are the first, last, and only line of defense between him and something of value. It’s more than just Twitter and Facebook accounts (though those have black market value as well) — it’s your money, and there are more ways to get at that than just through your bank’s website. And your passwords are literally the key.
Hackers Don’t Care About Me…
They do, and they rely on your complacency and your assumption that you aren’t a target to take advantage of you.
Here’s why you are a target:
- Money: You don’t have to be a millionaire or even a ten-thousandaire to be worth robbing. Criminal networks are very good at stealing small amounts of money and, when you funnel it all together, it’ll fill Scrooge McDuck’s money bin.
- Email Accounts: When you reset your password, you get a reset code sent to your email. So if a hacker gets your email account password, they get just about all of your accounts. Even if you really truly have nothing of value, your email account can be used as a spambot to help them commit other acts of theft.
- Retail Accounts: Ever buy anything online? Does that retailer save your credit card information? Feel like buying gift cards for a hacker? Didn’t think so. This applies to stuff like your Apple ID too. Chances are, a lot of your accounts have ended up with your credit card on file.
OK, I Get It. I’m a Target. What’s the Defense?
There are three main principles to better passwords and better protection of your accounts:
- Longer passwords are stronger
- Complex passwords are stronger
- Reusing your passwords makes them weaker
The first two have to do with an attacker’s ability to guess a password by brute force.
First, consider password length. Think of it like guessing a 3-digit luggage code. You’d start with 000, then 001, then 002… 10 digits per dial, three dials, that’s 10^3 = 1,000 total combinations, and you won’t have to search all of them. What if you had 5 dials? With 10^5 = 100,000 combinations the average search time will take a lot longer. The more dials, the harder it is to guess.
Now, complexity. What if the dials also had upper case letters? We’ve got 26 letters plus 10 digits… that’s 36 options per dial. Now our five dial system has 36^5 options, which is 60,466,176 total combinations. The more things on each dial, the harder it is to guess.
Is That Why Websites Make Me Use Upper Case, Lower Case, Digits, and So On?
Yes, and admittedly it sucks. Even worse, what most of these sites do is train you to make really bad passwords.
Complexity is more than just the classes of characters you use, though. Humans are predictable. Given all these hoops you have to jump through, would it be fair to admit that you’ve got a few passwords that look like this: GoTitans1!
Attackers have figured that out too. They’ll use dictionary attacks that try words and phrases with permutations of this kind of requirement-satisfying tack-on before they ever attempt a naive brute force (e.g. “aaaaa”).
But, “GoTitans” Isn’t In the Dictionary…
Not Webster’s, no. Hackers make their own dictionary to test in password permutations, and you can bet your butt every sports team in the country makes the cut.
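To put numbers on the luggage-dial reasoning and on why “GoTitans1!” is weaker than its character classes suggest, here is an added example (not code from the original post). The wordlist size, the number of capitalisation variants and the guess rate are assumptions chosen for illustration, as are the function names.

```python
import string

# Nominal search space: every position can be any symbol from the alphabet,
# exactly like the luggage dials (10 digits, 3 dials -> 10**3).
def keyspace(alphabet_size, length):
    return alphabet_size ** length


# Size the alphabet a naive brute-force attacker would have to assume,
# based on which character classes the password actually uses.
def naive_keyspace(password):
    classes = [
        (string.ascii_lowercase, 26),
        (string.ascii_uppercase, 26),
        (string.digits, 10),
        (string.punctuation, 32),
    ]
    alphabet = sum(size for chars, size in classes if any(c in chars for c in password))
    return keyspace(alphabet, len(password))


# Search space of the "Word + digit + symbol" shape that complexity rules
# train people into: a wordlist entry in a few capitalisations, then one
# digit and one symbol tacked on. ASSUMED sizes, for illustration only.
WORDLIST_SIZE = 100_000   # assumption: team names, words, phrases
CAPITALISATIONS = 3       # assumption: lower, Capitalised, UPPER


def pattern_keyspace(wordlist_size=WORDLIST_SIZE, suffix_digits=10, suffix_symbols=32):
    return wordlist_size * CAPITALISATIONS * suffix_digits * suffix_symbols


def seconds_to_exhaust(space, guesses_per_second):
    """Worst-case time to try every candidate at a given guess rate."""
    return space / guesses_per_second


if __name__ == "__main__":
    rate = 1_000_000_000  # assumed 1e9 guesses/s against a stolen, fast hash
    print(keyspace(10, 3), keyspace(10, 5), keyspace(36, 5))
    pw = "GoTitans1!"
    naive, pattern = naive_keyspace(pw), pattern_keyspace()
    # The dictionary-with-tack-ons space is smaller by a factor of ~5e11.
    print(f"{pw}: naive {naive:.2e} vs pattern {pattern:.2e}")
    print(f"years naive: {seconds_to_exhaust(naive, rate) / 31_536_000:.0f}")
    print(f"seconds pattern: {seconds_to_exhaust(pattern, rate):.3f}")
```

With the assumed rate, exhausting the nominal 94-character keyspace for a 10-character password takes on the order of 1,700 years, while the Word+digit+symbol pattern space is exhausted in under a tenth of a second.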
But, The System Locks My Account After A Few Failed Attempts!
This is where the third point comes in. They don’t need to attack that system directly.
You’ll see in the news where major websites have their password databases stolen. Sony Music, LinkedIn… These websites don’t store the passwords in plain text — they use hashes, which are the output of a one-way function that can’t be “un-hashed”. But there’s a catch.
When these websites are compromised, the attackers will save and distribute the database of password hashes as quickly as they can get to it and then attack them offline later.
In many cases, the hash function is simplistic and deterministic. The same input always gives the same output. So, an attacker can hash “aaaaa”, and then compare that value to the one in the database. If it matches, they’ve discovered that password.
Computers have gotten so fast that brute forcing stolen credentials this way is very efficient. They can tear through a huge database of credentials in minutes with a high success rate.
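The offline check described above, as an added example (not code from the original post): because an unsalted, deterministic hash always maps the same password to the same value, the attacker hashes each candidate once and looks it up against every stored hash at the same time, and no login lockout is involved. The “leaked” table, the accounts and the candidate list are all constructed here for illustration.

```python
import hashlib


def sha1_hex(s):
    # Plain, unsalted SHA-1, standing in for the "simplistic and deterministic"
    # hash the text describes.
    return hashlib.sha1(s.encode()).hexdigest()


# Constructed stand-in for a stolen password database (not real data).
# Each account stores sha1(password); identical passwords give identical hashes.
LEAKED_DB = {
    "alice@example.com": sha1_hex("GoTitans1!"),
    "bob@example.com":   sha1_hex("aaaaa"),
    "carol@example.com": sha1_hex("correct horse battery staple"),
    "dave@example.com":  sha1_hex("GoTitans1!"),   # same password as alice
}

# Constructed candidate list in the order the text describes: a dictionary
# word with tack-ons first, the naive brute-force start last.
CANDIDATES = ["GoTitans", "GoTitans1", "GoTitans1!", "password", "aaaaa"]


def recover_passwords(leaked_db, candidates):
    """Return {email: password} for every account whose stored hash matches a candidate.

    The table is inverted first so each candidate costs one hash plus one
    dictionary lookup no matter how many accounts are in the dump; that is
    why a deterministic hash lets a whole database fall to one candidate list.
    """
    by_hash = {}
    for email, digest in leaked_db.items():
        by_hash.setdefault(digest, []).append(email)
    found = {}
    for candidate in candidates:
        for email in by_hash.get(sha1_hex(candidate), []):
            found[email] = candidate
    return found


if __name__ == "__main__":
    for email, password in sorted(recover_passwords(LEAKED_DB, CANDIDATES).items()):
        print(f"{email}: {password}")
```

Note that alice and dave fall together from a single candidate, and the recovered email/password pair is exactly what gets tried against other websites if the password was reused.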
LinkedIn Made Me Change My Password, So It’s Okay, Right?
At LinkedIn, yes. But did you use that same password at any other website?
Somewhere, someone has a record that your email address is associated with such-and-such password. If you’re using that same password elsewhere, they have your password to that website. And it doesn’t take a genius to guess that combination.
They can now attack another website and blindly try your known username/email address and password to get in and empty your account.
You can check https://shouldichangemypassword.com/ to find out if your widely-reused password is already compromised. Never give a website you don’t know the username and password you use for a different service — this site is alright because it only uses your email address as a key.
If you use the same key in all of your locks, then I only need to compromise one key to get access to anything I know (or suspect) is yours. To avoid this, you need to not reuse passwords from site to site, the third point up above.
The bar is set pretty high, and it only gets higher as the days go by. You’ve never had more sensitive information resident on the Internet before today. Tomorrow, there’ll be even more.
My next post will detail how you can change your habits around passwords to protect yourself.
I received my @kickstarter backed copy of Soul of Science (plus rewards) by Daniel Martin Diaz last week!